Use of the :utf8 I/O layer (as opposed to :encoding(UTF8) or :encoding(UTF-8)) was suggested in the Perl documentation up to version 5.8.8.
This may be OK for output, but on input :utf8 does not validate the input, leading to unexpected results.

An exploit based on this behavior of :utf8 is exhibited on PerlMonks at http://www.perlmonks.org/?node_id=644786.
The exploit involves a string read from an external file and sanitized with m/^(\w+)$/, where $1 nonetheless ends up containing shell meta-characters.
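
The following is an added example, not code from this documentation or from the PerlMonks node. It goes one step beyond choosing the layer: it reads raw bytes, decodes them with Encode's strict UTF-8 decoder so that malformed input is an error, and only then applies the \w+ check. The helper name read_validated_words and the sample file contents are assumptions made for illustration.

```perl
use strict;
use warnings;
use Encode ();
use File::Temp qw(tempfile);

# Constructed sample input (not from the PerlMonks node): one well-formed
# UTF-8 line, one line with a lone 0xE9 byte, one line ending mid-sequence.
my ($tmp, $path) = tempfile(UNLINK => 1);
binmode $tmp;
print {$tmp} "caf\xC3\xA9\n", "caf\xE9\n", "caf\xC3\n";
close $tmp or die "close: $!";

# Hypothetical helper: read raw bytes, decode strictly, then validate.
# Returns (\@accepted, \@rejected_line_numbers).
sub read_validated_words {
    my ($file) = @_;
    open my $fh, '<:raw', $file or die "open $file: $!";
    my (@accepted, @rejected);
    while (my $bytes = <$fh>) {
        chomp $bytes;
        # 'UTF-8' is Encode's strict decoder; FB_CROAK makes malformed
        # input die instead of being passed through.
        my $text = eval {
            Encode::decode('UTF-8', $bytes,
                Encode::FB_CROAK() | Encode::LEAVE_SRC());
        };
        # Same allow-list idea as m/^(\w+)$/ above, anchored with \A and \z
        # and applied only to text known to be well-formed.
        if (defined $text && $text =~ /\A(\w+)\z/) {
            push @accepted, $1;
        }
        else {
            push @rejected, $.;
        }
    }
    close $fh or die "close: $!";
    return (\@accepted, \@rejected);
}

my ($ok, $bad) = read_validated_words($path);
binmode STDOUT, ':encoding(UTF-8)';
print "accepted: @$ok\n";
print "rejected lines: @$bad\n";
```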